PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder data that is stored, processed or transmitted by merchants and other organizations. The standard is managed by the PCI Security Standards Council (PCI SSC) and its founders — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The DSS details 12 requirements that merchants must meet to be considered “compliant”. Compliance, however, is simply a metric for the true goal of the program: to ensure transaction safety for customers. The requirements, grouped under six headings, are:


Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters


Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks


Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications


Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data


Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes


Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

Each requirement has specific criteria for meeting it, all of which are detailed in the current version of the DSS specification.

Additional Information

Visa Cardholder Information Security Program (CISP)

Mastercard Security Portal

Trustwave Network Scanning and Compliance Validation